NSW Health has declined to inform people who may be affected by a privacy breach that exposed data about hospital visitors and the patients they were visiting.
The South Western Sydney Local Health District (SWSLHD) is a subdivision of NSW Health that comprises seven public hospitals and 14 major community health centres, and has a population just shy of one million.
A SWSLHD spokesperson confirmed to Gizmodo the existence of a glitch in its online contact tracing system that was used by visitors, patients and contractors when visiting a facility.
Visitors to the District’s hospitals were directed to a QR code which linked to the online contact tracing registration form. The form was also accessible off-premises using the URL.
When entering a phone number in the first field of the form, a visitor’s name, the patient’s name and the ward would show up if the phone number was in the system.
Gizmodo was able to see the details of multiple people who had used the system.
Two days after Gizmodo first informed SWSLHD of the glitch, NSW eHealth’s Head of Communications confirmed the breach via email.
Six days after that, a spokesperson gave a short statement.
“The South Western Sydney Local Health District removed from its website a locally-built pre-registration form for visitors to its facilities as soon as an error was discovered,” they said.
“This pre-registration online form, in use for three weeks, inadvertently auto-populated the names and mobile numbers of previous users, and the name and ward of the patient they were visiting.
“The District is now adopting the Service NSW COVID Safe Check-In app for visitors to our facilities and services.”
The spokesperson declined to answer on the record how many people used the system, how many people may have been affected, or whether those affected would be informed.
Web security consultant Troy Hunt told Gizmodo that he was surprised about the NSW Health district’s response to being informed about a potential privacy breach.
He noted that there were no limits on how often the form could be used, leaving it open to possible brute forcing, in which a machine could quickly cycle through a string of phone numbers to find out information.
That being said, he noted that the District’s decision had to balance how likely it was that the breach was exploited against the potential downside of discouraging people from using contact tracing forms.
“Do they have the logging ability to identify if it was even abused?” he asked.
“They’ve got to deal with this in an appropriate way, I feel,” Hunt finished.
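Hunt's question about logging can be answered only if each lookup was recorded. The Python below is an added example, not code from the District or from the article; the log format, thresholds, addresses and phone numbers are all constructed assumptions. It flags clients that looked up many different phone numbers in a short window and lists the numbers whose records were returned to them, which is the set of people a notification would need to reach.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): time, client address, number entered, result.
SAMPLE_LOG = """\
2020-01-01T09:00:00 198.51.100.7 0400000101 miss
2020-01-01T09:00:20 198.51.100.7 0400000111 hit
2020-01-01T09:05:00 203.0.113.5 0400000001 miss
2020-01-01T09:05:01 203.0.113.5 0400000002 hit
2020-01-01T09:05:02 203.0.113.5 0400000003 miss
2020-01-01T09:05:03 203.0.113.5 0400000004 miss
2020-01-01T09:05:04 203.0.113.5 0400000005 hit
2020-01-01T10:00:00 198.51.100.9 0400000201 hit
2020-01-01T12:00:00 198.51.100.9 0400000202 hit
2020-01-01T14:00:00 198.51.100.9 0400000203 hit
2020-01-01T16:00:00 198.51.100.9 0400000204 hit
"""


def find_enumeration(lines, window=timedelta(minutes=1), max_distinct=3):
    """Return {client: numbers whose records were returned} for every client
    that entered more than max_distinct different numbers within window."""
    recent = defaultdict(deque)  # client -> (time, number) pairs still inside the window
    disclosed = defaultdict(set)  # client -> numbers that returned a stored record
    flagged = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        stamp, client, number, result = parts
        when = datetime.fromisoformat(stamp)
        lookups = recent[client]
        lookups.append((when, number))
        # Drop lookups that have aged out of the sliding window.
        while when - lookups[0][0] > window:
            lookups.popleft()
        if result == "hit":
            disclosed[client].add(number)
        # A visitor enters one or two numbers; cycling through many is enumeration.
        if len({n for _, n in lookups}) > max_distinct:
            flagged.add(client)
    return {client: disclosed[client] for client in flagged}


if __name__ == "__main__":
    for client, numbers in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(client, "was shown records for", sorted(numbers))
```

Counting distinct numbers rather than raw requests keeps a visitor who retypes their own number from being flagged, and the same counter applied at request time would serve as the missing rate limit.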